Gameover ZeuS
Infection vector Email spam | | |
Author(s) | Evgeniy Bogachev |
---|
GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.
The original GameOver ZeuS was propagated through
In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.
Technical details
Botnet structure
Machines infected with GOZ were integrated into a
The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of
Security
GOZ contained several security features designed to prevent full analysis of the botnet — particularly by restricting the activities of crawlers and sensors
Crawlers were inhibited via various means. Each bot had fifty peers;[12] however, a bot that was requested to provide a list of its peers would only return ten.[13] Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatic blacklisting,[14] halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations.[15]
Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out
In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers.[19] The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network.[4]
A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses.
Interface
The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts.[23] A special token grabber panel existed for man-in-the-browser attacks used to obtain bank login credentials; logging into a bank account usually involves authentication measures in addition to a username and password, such as a one-time-code or security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim.[24] The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks".[25] Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to.[26] Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.[20]
Activity
GOZ was spread using
From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion, however, other revenue streams such as click fraud and renting out the botnet were known to exist.[28]
Management
The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev,[c] the creator of the original Zeus Trojan and the immediate predecessor to GOZ, Jabber Zeus.[25][29]
Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club,[28] mostly Russians and Ukrainians.[30] The network also employed technical support staff for the malware.[6] The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar.[25] Business club members did not exclusively use GOZ and were often members of other malware networks.[31]
In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work.[32] Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.[33]
Bank theft
GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via
The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended.[25] The final destination of most money mule transfers were shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border.[39]
CryptoLocker
In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key.[32] Josephine Wolff, assistant professor of cybersecurity policy at Tufts University,[40] has speculated that the motivation behind pivoting to ransomware was for two reasons: firstly to set up a more secure means of making money off of GOZ, as ransomware could take money from victims for less work on the criminals' ends and the anonymous payment methods did not need to be laundered through money mules,[32] whose loyalties were in question since they did not know they were working for criminals; and secondly to take advantage of the criminals' access to data on infected computers that was significant to victims but was of no value to criminals, such as photographs and emails.[41] Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.[28]
About 200,000 computers were attacked by Cryptolocker beginning in 2013.[35] The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen.[42] However, Michael Sandee has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity.[43] Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.[44]
Espionage
Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine,[45] and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government.[46] The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014.[47] OPEC member states were also targeted.[30] Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent",[48] and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense".[46] Botnets used for espionage were run separately from those used for financial crime.
It is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret.[48] Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended,[49] despite living openly and under his own name in Russia.[46]
History
Origins and name
GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus.[50] Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action.[28] In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus.[51] In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants.[27][52] Graff has suggested the possibility that Bogachev himself was responsible for the leak.[28]
The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel.[53] Other names have included peer-to-peer ZeuS, ZeuS3,[54] and GoZeus.[55]
Shutdown of the botnet
The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "
On June 2, the Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day.[61] However, authorities also warned that the botnet would likely return within two weeks.[62] On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent.[44] On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest,[63] at the time the largest-ever reward for a cybercriminal.[1][d]
Re-emergence as "newGOZ"
Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies.[66] The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Michael Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into.[52] However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet.[67] The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down".[68]
The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections – the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus.[69] On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ.[70] Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well.[71] As of 2017, variants of Zeus constitute 28% of all banking malware.[72] However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware.[52]
See also
Similar Russian and Eastern European cybercrime groups:
- Avalanche, used botnets and email spam
- Berserk Bear, advanced persistent threat known to employ cybercriminals
- REvil, employed ransomware
Similar botnets:
- Conficker, an extremely prolific botnet at its peak
- Sality, another peer-to-peer botnet
- Torpig, another botnet spread through Trojan horses
- Tiny Banker Trojan, derived from Zeus
- ZeroAccess botnet, also P2P and spread via Trojans
Notes and references
Notes
- ^ In the context of P2P botnet monitoring, a crawler is a program that, using the botnet's communication protocol, requests a given bot's peers, then requests a list of peers from each bot in the original bot's list of peers, and so on until the whole botnet is mapped.[7] A sensor infiltrates the peer list of several bots and logs attempts to contact it from the bots in the network.[8]
- ^ Sinkholing is a technique used to take down botnets in which a special sensor is deployed within the botnet. The sensor, also known as a sinkhole, cuts off contact between bots and their controllers.[16]
- ^ Also known as "lucky12345" and "Pollingsoon".
- Evil Corp head Maksim Yakubets's arrest.[64] Yakubets had previously worked with Bogachev as part of the Jabber Zeus crew.[65]
References
- ^ a b Wolff 2018, p. 59.
- ^ Etaher, Weir & Alazab 2015, p. 1386.
- ^ Andriesse et al. 2013, p. 117.
- ^ a b Wolff 2018, p. 61.
- ^ Andriesse et al. 2013, p. 116.
- ^ a b Sandee 2015, p. 6.
- ^ Karuppayah 2018, p. 4.
- ^ Karuppayah 2018, p. 15.
- ^ Karuppayah 2018, p. 44.
- ^ Silver, Joe (June 2, 2014). "Governments disrupt botnet "Gameover ZeuS" and ransomware "Cryptolocker"". Ars Technica. Archived from the original on June 5, 2023. Retrieved July 21, 2023.
- ^ Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
- ^ Karuppayah 2018, p. 40.
- ^ Karuppayah 2018, p. 20.
- ^ Karuppayah 2018, pp. 22–23.
- ^ Karuppayah 2018, p. 31.
- ^ Karuppayah 2018, p. 79.
- ^ Karuppayah 2018, p. 21.
- ^ Karuppayah 2018, p. 23.
- ^ Andriesse et al. 2013, p. 118.
- ^ a b Sandee 2015, p. 7.
- ^ Etaher, Weir & Alazab 2015, p. 1387.
- ^ Zorabedian, John (March 4, 2014). "SophosLabs: Gameover banking malware now has a rootkit for better concealment". Sophos News. Archived from the original on May 29, 2023. Retrieved July 20, 2023.
- ^ Sandee 2015, p. 15.
- ^ a b Sandee 2015, pp. 16–17.
- ^ a b c d Krebs, Brian (August 5, 2014). "Inside the $100M 'Business Club' Crime Gang". Krebs on Security. Archived from the original on May 27, 2023. Retrieved July 8, 2023.
- ^ Sandee 2015, p. 17.
- ^ a b c d Stone-Gross, Brett (July 23, 2012). "The Lifecycle of Peer to Peer (Gameover) ZeuS". Secureworks. Archived from the original on May 28, 2023. Retrieved July 16, 2023.
- ^ WIRED. Archivedfrom the original on April 23, 2023. Retrieved July 8, 2023.
- ^ Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
- ^ a b Korolov, Maria (August 7, 2015). "GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC". CSO Online. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
- ^ Sandee 2015, p. 9.
- ^ a b c d Wolff 2018, p. 63.
- ^ Wolff 2018, p. 65.
- ^ Wolff 2018, p. 62.
- ^ a b c Perez, Evan (June 3, 2014). "U.S. takes out computer malware that stole millions". CNN. Archived from the original on June 3, 2023. Retrieved July 21, 2023.
- ^ Etaher, Weir & Alazab 2015, p. 1388.
- S2CID 29356524.
- ^ Musil, Steven (June 2, 2014). "US disrupts $100M GameOver Zeus malware cybercrime ring". CNET. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
- ^ Sandee 2015, pp. 18–20.
- ^ Wolff, Josephine (January 27, 2019). "Two-Factor Authentication Might Not Keep You Safe". The New York Times. Archived from the original on June 27, 2023. Retrieved July 23, 2023.
- ^ Wolff 2018, pp. 69–70.
- ^ Wolff 2018, p. 64.
- ^ Sandee 2015, p. 3.
- ^ a b Wolff 2018, p. 68.
- ^ Sandee 2015, p. 21.
- ^ a b c Schwirtz, Michael; Goldstein, Joseph (March 12, 2017). "Russian Espionage Piggybacks on a Cybercriminal's Hacking". The New York Times. Archived from the original on May 25, 2023. Retrieved July 17, 2023.
- ^ Stevenson, Alastair (August 6, 2015). "The Russian government may be protecting the creator of the world's most infamous malware". Business Insider. Archived from the original on April 23, 2023. Retrieved July 16, 2023.
- ^ a b Brewster, Thomas (August 5, 2015). "FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government". Forbes. Archived from the original on May 8, 2023. Retrieved July 16, 2023.
- ^ Sandee 2015, p. 23.
- ^ Peterson, Sandee & Werner 2015, 8:00–8:33.
- ^ Bartz, Diane (October 29, 2010). "Analysis: Top hacker "retires"; experts brace for his return". Reuters. Archived from the original on December 10, 2022. Retrieved July 23, 2023.
- ^ a b c Sandee 2015, p. 5.
- ^ Peterson, Sandee & Werner 2015, 7:18–7:27.
- ^ Sandee 2015, p. 2.
- ^ Hay, Andrew (March 5, 2020). "Gameover ZeuS Switches From P2P to DGA". Cisco Umbrella. Archived from the original on May 30, 2023. Retrieved July 8, 2023.
- ^ Krebs, Brian (June 2, 2014). "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. Archived from the original on June 4, 2023. Retrieved July 21, 2023.
- ^ a b Franceschi-Bicchierai, Lorenzo (August 12, 2015). "How the FBI Took Down the Botnet Designed to Be 'Impossible' to Take Down". VICE. Archived from the original on June 22, 2022. Retrieved July 21, 2023.
- ^ Wolff 2018, pp. 64–66.
- ^ Peterson, Sandee & Werner 2015, 41:06–41:31.
- ^ a b Wolff 2018, p. 67.
- SSRN 3238293. – via ResearchGate
- ^ Dignan, Larry (June 2, 2014). "GameOver Zeus botnet seized; Two week window to protect yourself, say authorities". ZDNET. Archived from the original on July 2, 2023. Retrieved July 23, 2023.
- ^ Kravets, David (February 24, 2015). "US offers $3 million reward for capture of GameOver ZeuS botnet admin". Ars Technica. Archived from the original on April 16, 2023. Retrieved July 21, 2023.
- Radio Free Europe. Archivedfrom the original on July 22, 2023. Retrieved July 23, 2023.
- ^ Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect "Tank" Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
- ^ Krebs, Brian (July 10, 2014). "Crooks Seek Revival of 'Gameover Zeus' Botnet". Krebs on Security. Archived from the original on February 1, 2023. Retrieved July 7, 2023.
- ^ Brewster, Tom (July 11, 2014). "Gameover Zeus returns: thieving malware rises a month after police action". The Guardian. Archived from the original on January 24, 2023. Retrieved July 7, 2023.
- ^ Constantin, Lucian (July 11, 2014). "The Gameover Trojan program is back, with some modifications". CSO Online. Archived from the original on July 7, 2023. Retrieved July 7, 2023.
- ^ Cosovan, Doina (August 6, 2014). "Gameover Zeus Variants Targeting Ukraine, US". Bitdefender Blog. Archived from the original on May 16, 2022. Retrieved July 8, 2023.
- ^ Constantin, Lucian (August 14, 2014). "New Gameover Zeus botnet keeps growing, especially in the US". CSO Online. Archived from the original on July 8, 2023. Retrieved July 8, 2023.
- ^ Asher-Dotan, Lital (July 1, 2015). "The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins". Malicious Life by Cybereason. Archived from the original on March 7, 2022. Retrieved July 23, 2023.
- S2CID 88494516.
General sources
- Andriesse, Dennis; Rossow, Christian; Stone-Gross, Brett; Plohmann, Daniel; Bos, Herbert (October 22–24, 2013). "Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus" (PDF). 2013 8th International Conference on Malicious and Unwanted Software: "The Americas". International Conference on Malicious and Unwanted Software. S2CID 18391912.
- Etaher, Najla; Weir, George R.S.; Alazab, Mamoun (August 20–22, 2015). "From ZeuS to Zitmo: Trends in Banking Malware" (PDF). 2015 IEEE Trustcom/BigDataSE/ISPA. IEEE International Conference on Trust, Security and Privacy in Computing and Communications. S2CID 2703081.
- Karuppayah, Shankar (2018). Advanced Monitoring in P2P Botnets: A Dual Perspective. S2CID 1919346.
- Peterson, Elliott; Sandee, Michael; Werner, Tillmann (August 5, 2015). GameOver Zeus: Badguys And Backends (Speech). Black Hat Briefings. Las Vegas. Archived from the original on March 31, 2023. Retrieved May 7, 2023. (Full speech via YouTube.)
- Sandee, Michael (August 5, 2015). GameOver ZeuS: Backgrounds on the Badguys and the Backends (PDF). Black Hat Briefings. Las Vegas.
- Wolff, Josephine (2018). You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. S2CID 159378060.